I know https pages will load slower (overhead) and my experience is that anything that slows down the loading of pages will have an effect on traffic. I had a chart that I made based on tests done in the early part of 1999 and it showed about 3.5% drop for every second delay compared to a base of 7 seconds (using a modem).

I would suspect this is just a part of the problem. There are probably several contributing factors.

Odd as it sounds, I've had customers who were actually frightened away by the IE message about "entering a secure site." They didn't know what it meant, but thought it sounded scary. So, depending on the tech knowledge of your audience, fear could be a contributing factor. But I can't see that being a full 40%...

Is this the type of application where every single page needs to be secure? Or, could you get by with just certain pages being on the [?...]

Depending on what you're offering, you could also try using a non-secure "doorway page" with options for the secure site and the non-secure site, and give explanations of the advantages of each. This has obvious negative consequences if you depend on SE traffic, and on most sites it would be poor usability as well. But I can imagine some applications where this would work.

Isn't this to do with certificates?

I know a lot of times when I have gone onto a new site, FF asks me if I trust the validity of the site's certificate. I think being as your site would offer a new certificate to the user, if they get the same warning as I do with a cancel or continue option, a lot may cancel.

It is apparent I am no expert but sometimes it is the simple things that are to blame. I really don't know anything about certificates, it is just a personal experience.

Is some part of the 40% drop just junk traffic? Hits you never wanted in the first place?

How about rogue / amateur robots, teenie-boppers sucking down your whole site,
one-way spiders that suck bandwidth and never refer real traffic at all?
Couldn't that be part of the drop? -Larry

Are you redirecting from http to https with the same page names, including for bots? What kind of redirect are you using? Is the entire site under https or just the shopping cart section? Have your search enging referrals dropped or is it that the visitors are abandoning the site more quickly?

We're using a "moved permanently" redirect, all pages are secure, we don't have a shopping cart since we aren't selling, just collecting sensitive info. One other factor I didn't mention in the first post is that a lot of our traffic comes from links to our old domain which we redirected a year ago, but the drop in traffic was sudden and coincided with the change to secure pages. Largest factor in the drop is referrals from the SE's, but all categories of referrals have suffered. Thanks to all of you who have responded.

Oops, I was wrong, all pages are NOT secure, only pages with forms for collecting personal information. All other pages are regular http:

What stat are you looking at when you say you have a drop in traffic? Uniques? Page Views? Bandwidth usage?

the drop in traffic was sudden

How sudden? If it's immediate, then it doesn't sound like a search engine issue but more like a server performance problem.

I track traffic on a weekly basis, mainly page views, and concentrate on conversions (filled-in forms) I plot the numbers on a chart, and the curve was showing a nice steady increase over the course of the past year until the last week of Aug. numbers dropped 20% that week and 20% the next week. Stabilized nicely since then but at the lower number. There were no major changes to the site except the change to https:// for the pages that included forms for collecting information.

Does your site have income? Did adding this feature reduce your income? This would be a good indicator of reduced unwanted traffic.

peco:

FF asks me if I trust the validity of the site's certificate

Forgive me if you already know this one, but a site:

secure.mysite.tld

...with a certificate signed for:

www.mysite.tld

...will always give a warning dialog with every browser. That will scare away the very people that the certificate is designed for. As will an out-of-date certificate, of course.

until the last week of Aug. numbers dropped 20% that week and 20% the next week

I think that you were possibly hit by Jagger - that is the order of drop that my site suffered, at that close timing (22 Sep was the main day, but drops were experienced in earlier weeks also). Having said that, my site has climbed back to close to the previous rate.